PostHog NPM packages compromised
Resolved

With all malicious package versions unpublished, we're now actively hardening our npmjs deployment pipeline, our GitHub Actions workflows, and all Node projects to prevent a future incident. A public postmortem will follow with more detailed information, next steps, and learnings.

Tue, Nov 25, 2025, 02:40 AM
Affected components

No components marked as affected

Updates


Monitoring

It looks like we were the victim of the following attack, which has hit over 300 packages: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24.

To be safe, delete node_modules and, if you use pnpm, also run pnpm cache delete, so that no affected package version remains installed or cached.

We've unpublished all relevant versions, and have published newer versions for all JS SDKs. Make sure you're on the latest version of our JS SDKs.

The following package versions were compromised:

  • posthog-node@4.18.1, posthog-node@5.13.3 and posthog-node@5.11.3
  • posthog-js@1.297.3
  • posthog-react-native@4.11.1
  • posthog-docusaurus@2.0.6
  • posthog-react-native-session-replay@1.2.2
  • @posthog/agent@1.24.1
  • @posthog/ai@7.1.2
  • @posthog/cli@0.5.15
  • @posthog/wizard@1.18.1

The following versions are safe to install:

  • posthog-js@1.298.0
  • posthog-node@5.14.0
  • posthog-plugin-hello-world@1.0.0
  • posthog-react-native@4.13.0
  • posthog-react-native-session-replay@1.2.3
  • @posthog/agent@1.24.2
  • @posthog/ai@7.2.0
  • @posthog/cli@0.5.16
  • @posthog/wizard@1.18.2

Mon, Nov 24, 2025, 04:32 PM

Monitoring

It looks like we were the victim of the following attack, which has hit over 300 packages: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24.

We've unpublished all relevant versions, and have published newer versions for all JS SDKs. Make sure you're on the latest version of our JS SDKs.

The following package versions were compromised:

  • posthog-node@4.18.1, posthog-node@5.13.3 and posthog-node@5.11.3
  • posthog-js@1.297.3
  • posthog-react-native@4.11.1
  • posthog-docusaurus@2.0.6

Mon, Nov 24, 2025, 10:28 AM

Investigating

We've identified that several of our packages contain compromised versions. We've unpublished the affected versions from our main repository and have published new, safe versions of the packages.

Mon, Nov 24, 2025, 09:42 AM

Investigating

We've identified that some client library packages published this morning contain compromised packages. We're working to patch and republish clean packages.

Mon, Nov 24, 2025, 09:39 AM

Investigating

We've identified that a version of our JavaScript packages contains compromised packages. We're working to patch and republish clean packages.

Mon, Nov 24, 2025, 09:36 AM